The Health Insurance Portability and Accountability Act (HIPAA) governs the collection, storage, use and destruction of patient health records. The most relevant sections of HIPAA, in relation to MedWiki, are the Privacy Rule and the Security Rule. The Privacy Rule mandates patients' access to their own records and an accounting of every person who has accessed the records in the previous six years. The Security Rule mandates that records must be stored and served securely, and that access occur only as necessary.

Do not store High Risk data, other than PHI, in any wiki (examples include, but are not limited to, credit card information and social security numbers)

You should not use MedWiki for PHI unless you have received basic HIPAA training as mandated by Stanford; ask your supervisor or department administrator what kinds of training are required for your position

Understand the specific policies and procedures that apply to your use of MedWiki; if your wiki will contain PHI, consult with the IRB compliance officer or HIPAA compliance officer for your unit

All computers used to interact with wikis containing PHI should be secured and free of viruses.

Make the least possible use of PHI to accomplish your purpose; restrict access to users who need it

Don't exchange documents or text containing PHI via regular email; email is not secure without extra steps to encrypt it

Make sure all documents containing PHI are properly secured on your local computer before and after uploading to MedWiki

In addition to the above responsibilities, Primary Authors are required to:

Ensure that only HIPAA-trained users have access to wikis containing PHI

Inform new users of their responsibilities under HIPAA (you can send them the URL of this page, plus any additional instructions needed)

Monitor activity in the wiki to ensure it is used in a HIPAA-compliant manner; quickly report any suspected problem or breach

Assist users to restrict access to pages and attachments so a minimal number of approved users have access to PHI

Ensure that users who have left the group associated with the wiki are removed from access in a timely manner.

Responsibilities

Primary Authors have responsibilities in addition to those of MedWiki users. A Primary Author is:

Administrator of the wiki, providing access to new users and removing access for users who leave the organization.

Responsible for ensuring the wiki is used in compliance with HIPAA.

The primary contact for the wiki.

How to Become a Primary Author

To become a Primary Author for an existing wiki, request access via the Web Help form, and indicate you will be a Primary Author for the wiki; please provide the wiki space name or URL, and your supervisor's name and contact information, in case we need to validate your authority for this role

To become a Primary Author of a new wiki, request the new wiki and indicate you will be the Primary Author

Primary Author Role

Review requests for access to the MedWiki space for appropriateness, and manage users in and out of the space in a timely manner.

Be a primary contact for the wiki.

Web Help will forward access requests to you.

Publicize the existence of the space to your group's appropriate members.

Answer basic questions about how to do things, refer users to training materials, and forward requests you can't resolve yourself to Web Help.